Why is everyone talking about zero trust?

Tuesday, 28 November, 2023

decorative: image of a phone with a login screen and the tickbox with ‘remember this device’ shown prominently

You might have heard people saying: “Never trust, always verify”. It suggests that, by default, users or devices should not be trusted, even if they have been verified previously.

You’ve probably seen the option to “remember this device” when you’re signing in to a social media account. The zero trust approach goes against this. Trust shouldn’t be granted completely, or forever - it should be continually challenged by requiring verification.

It’s not just a cyber security buzzword

The term is something that’s been more prominent in the last decade. Increasing government and framework guidance recommending it has placed zero trust at the top of the agenda for many companies.

Is it actually important? Well yes, with a greater shift to cloud and digital adoption within businesses, security gaps have been highlighted. Zero trust addresses those gaps by providing greater security maturity. It’s paved the way for the ideal future approaches to cyber security.

To understand if it’s right for you, you should consider how your business operates:

  • Do you use offices that are geographically distributed?
  • Do you allow remote working?
  • Do you have third party users requiring access?

If your answers to those are mostly “Yes”, zero trust is probably going to be more important for you.

It’s well suited to modern ways of doing business

Traditional networks were designed around workers being in an office together, doing all their work across the local network. They were focused around firewalls where everything inside the perimeter is trusted and anything external isn’t. The problem here is that there’s the opportunity for movement within your network, as the access isn’t as restricted and so the attack potential is greater.

Things are different now. With increased remote working, ways of working are more decentralised and distributed, and zero trust is a solution to help keep things secure.

Zero trust’s implements micro segmentation, whereby each segment requires authentication. That limits the access and attack potential.

So, if you’re looking for a business case to implement zero trust it’s reasonably likely you’ll have a case through the way your business operates, if you operate from different locations or support remote working.

There’s no ‘one size fits all’ approach

Zero trust implementation is generally stretched over the five pillars: identity, device, data, workload and network. You may have different strategies in comparison to another company’s implementation.

Your strategy may be a mix of various implementations of technology. You don’t have to deploy everything. But it’s important to understand your business and what kind of assets you need to secure to ensure you find the strategy that works best for you. It might even depend on the types of threats within your industry.

It all goes back to thinking about “What are you defending?”.

For example: if you hold lots of personal data then you may be concerned with the identity pillar to ensure accounts are secure, and the device pillar to ensure data is not exfiltrated from an endpoint. On the other hand, if you’re a manufacturer, you’re likely to be concerned about the availability of your systems to continue operating, so may look to focus more on networks.

You might also be concerned about third party access to your business. Lots of companies use outsourced providers or contractors, who have some kind of access into the network. If so, then you might look to focus on your network and limit lateral movement that could happen from a user account.

Don’t run before you can walk

Adopting a zero trust strategy is time consuming and can be costly, in terms of personnel or technology. Of course, it depends on what you plan to implement and if you already have deployed (or not deployed!) certain solutions. However, it’s still likely to be a process that happens over a matter of years, rather than months.

Take devices for example: if you don’t know what or where your assets are, then how do you plan on managing and maintaining them? Likewise with any zero trust pillar, there may be steps you need to take before you can deploy solutions to protect your assets.

It’s why businesses sometimes break it down into smaller phases, with focus on implementation on a certain pillar before moving on to the next. Similarly, some businesses may choose to limit the scope of their implementation, such as just across critical assets, before extending to the whole business.

Consider it the future

Even if it’s not quite on your roadmap yet, zero trust is likely to be the future of your organisation’s approach to cyber security.

Securing your attack surface is important. A zero trust strategy helps you to have greater control over, and visibility into, how your systems are used.

Timing is also important - consider your supply chain. If you have a greater level of security due to zero trust being implemented, is the company looking to purchase your services more likely to go ahead with working with you? If the government is providing guidance and recommending zero trust, then will adopting zero trust help you win more contracts? So while it may not be necessary now, there might be benefits of you adopting it sooner rather than later.

Zero trust won’t eliminate all exposure to risk, but we think it’s a good stance to have. That’s why everyone is talking about it.

Headline photo created by the team using Mockup in Figma